fix(events): fix hooked_syscall for RHEL 8.x kernels
rafaeldtinoco committed Oct 27, 2023
1 parent 3c8251d commit 31770da
Showing 5 changed files with 20 additions and 6 deletions.
8 changes: 7 additions & 1 deletion pkg/ebpf/hooked_syscall_table.go
Expand Up @@ -161,7 +161,13 @@ func (t *Tracee) populateExpectedSyscallTableArray(tableMap *bpf.BPFMap) error {
// Get address to the function that defines the not implemented sys call
niSyscallSymbol, err := t.kernelSymbols.GetSymbolByName("system", events.SyscallPrefix+"ni_syscall")
if err != nil {
return err
e := err
// RHEL 8.x uses sys_ni_syscall instead of __arch_ni_syscall
niSyscallSymbol, err = t.kernelSymbols.GetSymbolByName("system", "sys_ni_syscall")
if err != nil {
logger.Debugw("hooked_syscall: syscall symbol not found", "name", "sys_ni_syscall")
return e
}
}
niSyscallAddress := niSyscallSymbol.Address

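Review bot: `return e` on the fallback path drops the second lookup's error, so on a kernel that has neither `events.SyscallPrefix+"ni_syscall"` nor `sys_ni_syscall` the caller only sees the first failure and nothing in the returned error says a fallback was tried; the Debugw line logs the second name but not `err`. Returning both keeps the diagnostic, e.g. `return fmt.Errorf("resolving ni_syscall symbol (sys_ni_syscall fallback also failed: %v): %w", err, e)`, or `errors.Join(e, err)` if the module already builds with Go 1.20+. The new comment names `__arch_ni_syscall`, which does not appear in the code; wording it as "RHEL 8.x exports sys_ni_syscall instead of the SyscallPrefix-prefixed ni_syscall symbol" ties it to the lookup above it. populateExpectedSyscallTableArray continues outside the hunk.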
4 changes: 2 additions & 2 deletions pkg/events/core_amd64.go
Expand Up @@ -1349,8 +1349,8 @@ var SyscallSymbolNames = map[ID][]KernelRestrictions{
431: {{Name: "fsconfig"}},
432: {{Name: "fsmount"}},
433: {{Name: "fspick"}},
434: {{Name: "pidfd_open"}},
435: {{Name: "clone3"}},
434: {{Above: "5.2", Name: "pidfd_open"}},
435: {{Above: "5.2", Name: "clone3"}},
436: {{Above: "5.9", Name: "close_range"}},
437: {{Above: "5.6", Name: "openat2"}},
438: {{Above: "5.6", Name: "pidfd_getfd"}},
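Review bot: The bound in the entries carrying `Above: "5.2"` for 434/435 does not follow the convention the neighbouring lines appear to use: close_range (436) is tagged 5.9 and openat2 (437) 5.6, the releases those syscalls were introduced in, while pidfd_open and clone3 first appeared in 5.3. If Above is inclusive, `434: {{Above: "5.3", Name: "pidfd_open"}}` and `435: {{Above: "5.3", Name: "clone3"}}` would be consistent; if it is strictly greater-than, then 436-438 are the ones off by one. The KernelRestrictions.Above field deserves a doc comment stating which comparison is applied, since a wrong bound here either skips a real table entry in the hooked-syscall check or reports a missing symbol on a healthy kernel. The same entries are changed in pkg/events/core_arm64.go.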
4 changes: 2 additions & 2 deletions pkg/events/core_arm64.go
Expand Up @@ -1408,8 +1408,8 @@ var SyscallSymbolNames = map[ID][]KernelRestrictions{
431: {{Name: "fsconfig"}},
432: {{Name: "fsmount"}},
433: {{Name: "fspick"}},
434: {{Name: "pidfd_open"}},
435: {{Name: "clone3"}},
434: {{Above: "5.2", Name: "pidfd_open"}},
435: {{Above: "5.2", Name: "clone3"}},
436: {{Above: "5.9", Name: "close_range"}},
437: {{Above: "5.7", Name: "openat2"}},
438: {{Above: "5.7", Name: "pidfd_getfd"}},
7 changes: 6 additions & 1 deletion tests/e2e-inst-signatures/scripts/hijack/Makefile
Expand Up @@ -6,7 +6,12 @@ KBUILD_CFLAGS += -g -Wall
KERNELDIR ?= /lib/modules/$(shell uname -r)/build

hijack.o:
$(MAKE) -C $(KERNELDIR) M=$(PWD) modules
make -C $(KERNELDIR) M=$(PWD) \
CC=gcc LD=ld AR=ar NM=nm STRIP=strip OBJCOPY=objcopy \
OBJDUMP=objdump READELF=readelf HOSTCC=gcc HOSTCXX=g++ \
HOSTAR=ar HOSTLD=ld \
modules
# $(MAKE) -C $(KERNELDIR) M=$(PWD) CC=gcc modules

clean:
rm -f hijack.mod hijack.o hijack.mod.c hijack.mod.o hijack.ko
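Review bot: The new recipe line invokes `make -C $(KERNELDIR) ...` directly where the removed line used `$(MAKE)`; the sub-make therefore no longer inherits the jobserver or flags such as `-n`/`-k`, so the first word should go back to `$(MAKE)`. The commented-out `# $(MAKE) -C $(KERNELDIR) M=$(PWD) CC=gcc modules` left underneath reads as scratch and should be removed. Presumably the explicit CC/LD/AR/...HOSTLD assignments are there to pin the module build to the GNU toolchain whatever the caller's environment exports; that intent is not stated anywhere, so a one-line comment above the target such as `# Force the GNU toolchain so the module is built with the same compiler as the kernel tree expects` would save the next reader from reverting it.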
3 changes: 3 additions & 0 deletions tests/e2e-inst-signatures/scripts/hooked_syscall.sh
Expand Up @@ -11,5 +11,8 @@ dir="tests/e2e-inst-signatures/scripts/hijack"
cd $dir || exit_err "could not cd to $dir"
make && ./load.sh || exit_err "could not load module"

# Sleep a bit to allow module to load
sleep 3

# Unload module after 30 seconds
nohup sleep 30 > /dev/null 2>&1 && ./unload.sh &
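Review bot: The added `sleep 3` is a fixed delay with a comment that says it waits for the module to load, but `./load.sh` on the line above is already gated by `||`, so the module is either loaded or the script has exited by the time the sleep runs; the wait is really for whatever observes the hooked table afterwards, and the comment should say so. If the intent is to confirm the module is resident, a bounded poll is more robust than a guess, e.g. `for _ in 1 2 3 4 5 6 7 8 9 10; do [ -d /sys/module/hijack ] && break; sleep 1; done` (module name taken from hijack.ko in the Makefile). The unquoted `cd $dir` and the backgrounded `nohup sleep 30 ... && ./unload.sh &` are pre-existing and not changed here.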
